Friday, June 21, 2024

Hackers Started using Python for Developing New Ransomware

Ransomware has been one of the top threats to organizations, contributing several millions of dollars to multiple organizations worldwide.

Most of these ransomware operators infiltrate the systems, steal sensitive data, and lock the systems with ransomware.

There have been a variety of ransomware activities in the past, such as WannaCry, GandCrab, and many others.

Most of the ransomware operators use custom-written ransomware for their operations. However, there has been a rise in Python-based ransomware variants in recent years.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

New Python Ransomware

According to the K7 labs report, a recent ransomware sample was found and investigated. It turned out to be written in Python, which is not common. The ransomware binary was checked in VirusTotal and was detected by 47 antivirus providers.

Virustotal Analysis (Source: K7 Security Labs)
Virustotal Analysis (Source: K7 Security Labs)

The malicious file was found to be an executable file compiled in C++. Moreover, the executable file had a PDF icon as a means of disguising its original extension. To further investigate, the malicious PDF file was extracted with pyinstxtractor. Further analysis revealed the main source code file under the name “grinchv3.pyc”.

PDF and pyinstxtractor (Source: K7 Security Labs)
PDF and pyinstxtractor (Source: K7 Security Labs)

Behavioral Analysis

The script was written with several lines of code under a single class named “sweet.” The __init__ function of the class gathers additional information and performs the following functions.

  • Fetches the current user of the victim machine
  • Drive partition scanning (A:\ to Z:\ is scanned)
  • Determining the Type of files to encrypt

Moreover, the encryption is started only after adding the unlock notes under the name “UNLOCK MY FILES.txt” on all the file paths that are about to be encrypted. For encryption, the Fernet Python cryptography module was used. After encrypting, a pop-up message is configured to be shown to the user.

All the encrypted files are under the extension “.enc” and remain unreadable after the ransomware encrypts them. Furthermore, the ransom notes include the email address of the attacker to contact for decryption.

Ransom Note (Source: K7 Security Labs)
Ransom Note (Source: K7 Security Labs)

K7 Security Labs has published a complete report about this new Python ransomware variant. It provides detailed information about this new Python-based ransomware source code, encryption methodology, and experimental and behavioral analysis.

Indicators of Compromise

HashDetection Name
C967B8198501E3CE3A0E323B37D94D15Trojan ( 005af6051 )

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles